Abstract. We describe an algorithm to count the number of rational points
of a hyperelliptic curve defined over a finite field of odd characteristic
which is based upon the computation of the action of the Frobenius
morphism on a basis of the Monsky-Washnitzer cohomology with compact
support. This algorithm follows the vein of a systematic exploration
of potential applications of cohomology theories to point counting.
Our algorithm decomposes into two steps: a first step, which consists in
the computation of a basis of the cohomology, and a second step, which
obtains a representation of the Frobenius morphism. We achieve a
$\tilde{O}(g^4 n^3)$ worst case time complexity and $O(g^3 n^3)$ memory
complexity, where $g$ is the genus of the curve and $n$ is the absolute
degree of its base field. We give a detailed complexity analysis of the
algorithm as well as a proof of correctness.



1 Introduction 

The problem of counting the number of rational points on a smooth projective
algebraic curve defined over a finite field has attracted a lot of attention in
recent years, driven by well known cryptographic applications.

The known point counting algorithms for a curve $C$ over a finite field $k$ with
Jacobian $J(C)$ can roughly be divided in two large classes, the $\ell$-adic
algorithms and the $p$-adic algorithms.

The $\ell$-adic point counting algorithms can be interpreted as the computation
of the action of the Frobenius morphism on the $\ell$-adic Tate module of the
Jacobian, $\ell$ being prime to the characteristic of the base field. The
$\ell$-adic point counting algorithms all follow an original idea of Schoof
[Sch98] which consists in computing the action of the Frobenius morphism on the
group of $\ell$-torsion points of $J(C)$ for primes $\ell$ big enough to recover
the zeta function of the curve by the Chinese remainder theorem. In the case
that $C$ is an elliptic curve, this first algorithm has subsequently been
improved by Elkies, Atkin and other authors [Elk98,Sch98] and resulted in a very
efficient algorithm. Some of these techniques have been adapted to the case of
higher genus curves [Pil90] but some improvements have yet to be made in order
to be able to reach cryptographic size fields. Nevertheless some progress has
been made [Gau00,Gau02a] in that direction.



On the other side, the $p$-adic point counting algorithms can be interpreted
as the computation of the action of the Frobenius morphism on some $p$-adic
cohomology group. The first such algorithm has been described by Satoh [Sat00].
The algorithm of Satoh relies on the computation of the action of the Frobenius
morphism on the invariant differential forms of the canonical lift of an ordinary
Jacobian. It has been generalised and made more efficient in a series of papers
[SST03,Mes01,Mes02,Gau02b,LL03,LL06]. Other authors have explored other
possible representations of the Frobenius morphism. In [Ked01], Kedlaya explains
how to obtain a basis of the Monsky-Washnitzer cohomology of a hyperelliptic
curve and compute the Frobenius morphism acting on it. Lauder used Dwork
cohomology to obtain general point counting algorithms [LW02,LW04]. Later on,
Lauder introduced deformation techniques in which one considers a one parameter
family of curves and uses the Gauss-Manin connection in order to carry over this
family the action of the Frobenius morphism [Lau04].

Pursuing the exploration of possible $p$-adic cohomology theories, we propose
in this paper to use Monsky-Washnitzer cohomology with compact support. This
cohomology theory comes with a Lefschetz trace formula and as a consequence
can be used to compute the number of rational points of a curve defined over a
finite field. Starting with a hyperelliptic curve defined over a finite field of
odd characteristic, we explain how to represent elements of the
Monsky-Washnitzer cohomology with compact support and obtain a basis of this
vector space. Then we compute the representation of the Frobenius morphism.

Our algorithm breaks into two steps. The first step is the computation of a
basis of the Monsky-Washnitzer cohomology with compact support. Unlike the
case of the algorithm of Kedlaya this step is non-trivial from an algorithmic
point of view. The two main features of this part of our algorithm are:

— The use of the stability of the cohomology of Monsky-Washnitzer with
compact support by finite étale descent to reduce the computation of a basis
of the cohomology to the computation of a basis of the global horizontal
sections of an isocrystal over the affine line. These global sections verify a
differential equation provided by the Gauss-Manin connection that we
interpret as the solutions of a linear system. This is the so-called global
method.

— Unfortunately, the global method is inefficient since it involves the inversion 
of a matrix the size of which is in the order of the analytic precision required 
for the computations. We explain how to speed up the computation of the 
basis by taking advantage of local inhomogeneous differential equations de- 
duced from the Gauss-Manin connection. Once we have computed global 
solutions for the Gauss-Manin connection up to a small analytic precision 
it is possible to prolong them locally using an asymptotically fast algorithm 
such as [BCO+07]. 

The second step of the algorithm is the computation of a lift of the Frobenius
morphism as well as its action on a basis of the cohomology. The computation
of a lift of the Frobenius morphism that we describe in this paper is standard,
being just an adaptation of [Ked01] to our case. Nonetheless, for the action of
the Frobenius morphism, we explain how it is possible to turn into an efficient
algorithm the knowledge of local differential equations deduced from the twist
of the Gauss-Manin connection by the Frobenius morphism.

We give a proof of correctness for our algorithm. As usual for the $p$-adic
algorithms, the main problem lies in the assessment of the analytic and $p$-adic
precisions necessary to recover the characteristic polynomial of the Frobenius
morphism. For this we used a variant of a result of Lauder [Lau06]. We provide
the algorithm with a detailed complexity analysis. In this complexity estimate,
we suppose that the characteristic $p$ of the base field of the hyperelliptic
curve is fixed and consider complexity bounds when the genus $g$ and the
absolute degree $n$ of the base field increase. Using the soft-O notation to
neglect the logarithmic terms, we obtain a $\tilde{O}(g^4 n^3)$ time complexity
with a $O(g^3 n^3)$ memory consumption. In order to achieve this time
complexity, we use in an essential manner asymptotically fast algorithms to
compute with power series [ASU75,BSSar,PS73,BCO+07]. We remark that the worst
case complexity of our algorithm has the same complexity bound in $n$ as the
algorithm of Kedlaya but nonetheless a better behaviour with respect to the
genus.

Organisation of the paper In Section 2, we recall the basic construction of the 
cohomology of an overconvergent isocrystal over the affine line. In Section 3, 
we deduce from it an algorithm to compute a basis of the cohomology. We give 
a proof of correctness and a detailed complexity analysis of this algorithm in 
Section 4. In Section 5, we explain how to compute the action of the Frobenius 
morphism on this basis and recover the zeta function of the curve. In Section 
6, we obtain complexity estimates for the whole algorithm and discuss practical 
results and implementations. 

Notations In all this paper, $k$ is a finite field of odd characteristic $p$. We
denote by $W(k)$ the ring of Witt vectors with coefficients in $k$ and by $K$
the field of fractions of $W(k)$. For all $x \in K$, $|x|$ denotes the usual
$p$-adic norm of $x$.

We use the notation $\ell$ for a multi-index $(\ell_0, \dots, \ell_k)$ where k > is an integer.
For instance, is the $k$-fold multi-index $(0, \dots, 0)$. For $\ell$ and $m$
two multi-indices, $\ell > m$ means that for all $i \in \{0, \dots, k\}$,
$\ell_i > m_i$. Moreover if $\ell$ is a multi-index, we set
$|\ell| = \max\{|\ell_i|,\ i = 0, \dots, k\}$.

We recall that an element $f = \sum_{\ell} a_\ell t^\ell$ of
$K[[t_0, \dots, t_k]]$ is called overconvergent if there exists $\eta_0 > 1$
such that $\lim |a_\ell| \eta_0^{|\ell|} = 0$. The sub-ring of
$K[[t_0, \dots, t_k]]$ consisting of overconvergent elements is denoted by
$K[t_0, \dots, t_k]^\dagger$ and is called the weak completion of
$K[t_0, \dots, t_k]$.

2 Basic definitions 

In order to fix the notations, we first recall some basic facts about
Monsky-Washnitzer cohomology with compact support. In the same way as the theory
without support, the Monsky-Washnitzer cohomology with compact support
associates to a smooth affine curve $C_k$ of genus $g$ over the finite field $k$
a graded $K$-vector space of finite dimension denoted by
$(H^i_{MW,c}(C_k/K))_{i \in \{0,1,2\}}$. There exists a trace formula in this
theory which can be used to recover the zeta function of $C_k$ by computing the
action of the Frobenius morphism over the cohomology groups. We remark that as
we are dealing with curves, only $H^1_{MW,c}(C_k/K)$ is non-trivial. Moreover,
we will use the property of stability of this cohomology theory by finite étale
descent to do all our computations over the affine line. This entails working
with non-trivial coefficients which are overconvergent modules with connection.



2.1 The geometric setting 



In the following, we focus on the case of hyperelliptic curves which constitute
the simplest family of curves with arbitrary genus. Let $k$ be a finite field of
odd characteristic. Let $C_k$ be the affine model of a smooth genus $g$
hyperelliptic curve over $k$ given by an equation
$Y^2 = \prod_{i=1}^{2g+1} (X - \bar\lambda_i)$ where $\bar\lambda_i \in k$. Let
$\pi_k : C_k \to \mathbb{A}^1_k$ be the projection along the $Y$-axis. If we
denote by $U_k$ the étale locus of $\pi_k$ and by $V_k$ its image, we have a
diagram

(1)

where the horizontal maps are open immersions and where $\pi_k$ is finite étale
over $V_k$. We let $A_k$ and $B_k$ be the coordinate rings of $U_k$ and $V_k$.
By [Elk73], Theorem 6, we can lift diagram (1) to a diagram

(2)

of smooth $W(k)$-schemes where the horizontal maps are open immersions and $\pi$
is finite étale over $V$. Let $A$ and $B$ be the coordinate rings of $U$ and $V$
respectively. Let $\Lambda_k = \{\bar\lambda_1, \dots, \bar\lambda_{2g+1}, \infty\}$
be the complement of $V_k(k)$ in $\mathbb{P}^1(k)$. We can suppose that
$B = W(k)[t, (t-\lambda_1)^{-1}, \dots, (t-\lambda_{2g+1})^{-1}]$ where $t$ is an
indeterminate and where $\lambda_i \in W(k)$ lifts $\bar\lambda_i$ for
$i = 1, \dots, 2g+1$. Let $\Lambda = \{\lambda_1, \dots, \lambda_{2g+1}, \infty\}$,
$A_K = A \otimes_{W(k)} K$ and $B_K = B \otimes_{W(k)} K$. By finite étale
descent (cf. Corollary 2.6.6 of [Tsu99]) we have
$H^1_{MW,c}(U_k/K) = H^1_{MW,c}(V, \pi_* A_K^\dagger)$. In the following,
we always consider $A_K$ with its $B_K$-module structure provided by $\pi$.

There is a Gauss-Manin connection on $A_K$ and the computation of a basis of
the cohomology of a curve boils down to the computation of horizontal sections
for this connection. In the remainder, if $t$ is an affine parameter, we will
use the notation $(t - \infty) = t^{-1}$ to indicate a local parameter at
infinity.



2.2 The space $B_c$

In this section, we give a definition of the Monsky-Washnitzer cohomology with 
compact support over a Zariski open subset of the affine line. Note that in this 
situation this theory coincides with the so-called dual theory of Dwork [Dwo90] . 
Let B, A as before. 

Definition 1. For A G rational, let 

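$R_\lambda = \{ \sum_{\ell \in \mathbb{Z}} a_\ell (t-\lambda)^\ell \mid a_\ell \in K,\ \forall \eta < 1,\ |a_\ell| \eta^\ell \to 0 \text{ as } \ell \to +\infty, \text{ and } \exists \eta_0 > 1,\ |a_\ell| \eta_0^{-\ell} \to 0 \text{ as } \ell \to -\infty \}$,

be the ring of power series converging on a subset
$\eta_0^{-1} < |t - \lambda| < 1$ with $\eta_0 > 1$.
The Robba ring associated to $B$ is the ring

$\mathcal{R}_B = \bigoplus_{\lambda \in \Lambda} R_\lambda$.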

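We recall that the weak completion of
$B_K = K[t, (t-\lambda_1)^{-1}, \dots, (t-\lambda_{2g+1})^{-1}]$ is

$B_K^\dagger = \{ \sum_{\ell} a_\ell\, t^{\ell_0} (t-\lambda_1)^{\ell_1} \cdots (t-\lambda_{2g+1})^{\ell_{2g+1}} \mid a_\ell \in K,\ \exists \eta_0 > 1,\ |a_\ell| \eta_0^{|\ell|} \to 0 \text{ as } |\ell| \to \infty \}$.

The space $B_c$ of analytic functions with compact support is by definition the
quotient of $\mathcal{R}_B$ by the image of a certain map from $B_K^\dagger$
into $\mathcal{R}_B$ that we describe in the following. For
$\lambda \in \Lambda$, let

$\phi_\lambda : B_K^\dagger \to R_\lambda$   (3)

be the injective map which sends $b_K \in B_K^\dagger$ to the element
$b_\lambda \in R_\lambda$ which is the local development of $b_K$ at $\lambda$.

Let $i_D : B_K^\dagger \to \mathcal{R}_B$ be defined as
$b_K \mapsto \bigoplus_{\lambda \in \Lambda} \phi_\lambda(b_K)$. Obviously $i_D$
is an injection and by definition the space $B_c$ is the quotient of
$\mathcal{R}_B$ by the image of $i_D$. As a consequence, we obtain the short
exact sequence of $K$-vector spaces

$0 \to B_K^\dagger \xrightarrow{i_D} \mathcal{R}_B \xrightarrow{p_c} B_c \to 0$,   (4)

where $p_c$ is the canonical projection.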

Actually, the space $B_c$ comes with a natural structure of $B_K^\dagger$-module
that we describe now. To define it, we let

R l = {^a n (t-\f\ at , G K, 3n > 1, \a_ e \r] e -^ +oc 0}, 

and 

R l = { J2 a ^ ~ X ^\ ae e K > 3r lo > 1. \ a -e\Va ^+oo 0}. 
e<o 

And we put the 



Definition 2. Let $\Lambda_0 = \Lambda \setminus \{\infty\}$. The principal part
at $\lambda \in \Lambda_0$ is the function defined by

Pr A : R x - R{, 
Pr jg^i - A)') = 5>/(t - A) £ . 

The principal part at $\infty$ is the function defined by

Pfoo . -Roc ► Rooi 

We also define the analytic part at any $\lambda \in \Lambda$ as the identity
minus the principal part at $\lambda$.

For all $b_c \in B_c$, by the Mittag-Leffler theorem, there exists a unique
element $\sigma(b_c)$ of $\mathcal{R}_B$ such that $p_c(\sigma(b_c)) = b_c$ and
for all $\lambda \in \Lambda$, $\mathrm{Pr}_\lambda(\sigma(b_c)) = 0$. In this
way, we have defined a map $\sigma$ from $B_c$ to $\mathcal{R}_B$ and it is
immediately verified that $\sigma$ is a section of $p_c$ in the exact sequence
(4). We now identify $B_c$ with its image by $\sigma$ so that we can write

$B_c = \bigoplus_{\lambda \neq \infty} R_{\lambda,c} \oplus R_{\infty,c}$
where we denote for A E rational 

Rx.c = {Y, a dt - A)V £K,V V < 1, M?/ ^ +oc 0}, 

and 

i?A, c - {J2a e (t - XY\a e EK,V V < 1, \a t \rf ^ +oc 0}. 

It is important for the following to remark that $\sigma \circ p_c$ is given
locally as the identity minus the local expansion of the sum of all the
principal parts.
The action of $B_K^\dagger$ over $B_c$ is given by

$f \cdot g = p_c(i_D(f) \cdot \sigma(g))$

where $f \in B_K^\dagger$, $g \in B_c$ and $\cdot$ is the product in
$\mathcal{R}_B$.

2.3 The space $M_c$

The computation of the space $H^1_{MW,c}(U_k/K)$ boils down to the computation
of the de Rham module of analytic forms with compact support. Applying the
finite étale descent theorem [Tsu99, Cor. 2.6.6], this space of analytic
functions is

$M_c = A_K^\dagger \otimes_{B_K^\dagger} B_c$.

For $\lambda \in \Lambda$, let
$M_{c,\lambda} = A_K^\dagger \otimes_{B_K^\dagger} R_{\lambda,c}$ and let
$M_{c,\infty} = A_K^\dagger \otimes_{B_K^\dagger} R_{\infty,c}$. We have,

$M_c = \bigoplus_{\lambda} M_{c,\lambda}$.

An element of $M_{c,\lambda}$ can be written as

$\sum_{j=0,1} Y^j \otimes \sum_{\ell=0}^{\infty} b^\lambda_{j,\ell} (t-\lambda)^\ell$

with $b^\lambda_{j,\ell} \in K$ and with $b^\infty_{j,0} = 0$. We keep the
convention of notation $(t - \infty) = t^{-1}$. The finite
$B_K^\dagger$-module $M_c$ comes with a connection given by

$\nabla_c : M_c \to M_c \otimes_{B_K^\dagger} \Omega^1_{B_K^\dagger}$,

$m \otimes g_c \mapsto \nabla_{GM}(m) \otimes g_c + m \otimes \frac{\partial}{\partial t} g_c \, dt$,

where $\nabla_{GM}$ is the natural Gauss-Manin connection on $A_K^\dagger$. In
our case this natural connection is given by the partial derivative with respect
to $Y$ acting on the $B_K^\dagger$-module $A_K^\dagger$. By definition, the space
$H^1_{MW,c}(V, \pi_* A_K^\dagger)$ is the kernel of $\nabla_c$. As a consequence,
to compute a basis of $H^1_{MW,c}(V, \pi_* A_K^\dagger)$ we have to compute a
basis of the space of solutions of the differential equation

$\nabla_c(m_c) = 0$   (5)

defined over $M_c$. Note that by classical results (see for example [LS95]) the
dimension of this space is equal to $2g$ plus the number of points we took off
the affine line, which in our case gives $4g + 1$.

3 An algorithm to compute a basis of an overconvergent 
isocrystal 

We show in this section that the solutions of Equation (5) can be computed 
by solving a linear system over K. First, we explain how the action of a linear 
endomorphism of M c with rational coefficients can be computed up to a certain 
analytic precision by solving a system of linear equations. From this, we deduce 
two methods, the global method given in Section 3.2 and the local method pre- 
sented in Section 3.3, for the computation of a basis of solutions of Equation (5). 
The global method is slow but useful to compute the first analytic development 
of the solutions required for the quicker local method. 

3.1 Action of a rational endomorphism of $M_c$

Let Mat be a square matrix of dimension 2 with coefficients in the field of
rational functions in the indeterminate $t$ over $K$. If we set
$m_c = m \otimes g_c \in M_c = M \otimes B_c$ and using the basis $\{1, Y\}$ of
$M_c$ over $B_c$ to write $m_c$ as a column vector of dimension 2 with
coefficients in $B_c$, our aim is to compute

$\mathrm{Mat}.m_c = (\mathrm{Mat}.m) \otimes g_c$.

We rewrite Mat as the quotient of a matrix with polynomial coefficients by a
polynomial with the lowest possible degree denoted by $\Delta$. We suppose that
the roots of $\Delta$ are contained in $\Lambda$. Let $o_\lambda$ be the order of
the root of $\Delta$ at the point $\lambda \in \Lambda$. Let
$m_0 = \max_{\lambda \in \Lambda}(o_\lambda)$. For the rest of the section, we
denote by $M^\vee$ the transpose of a matrix $M$.

We explain how we associate vectors with coefficients in K to elements of 
M c . 

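Definition 3. Let $n > 0$ be a positive integer. Let $m_c \in M_c$ that we can
write as $(m_{\lambda_1}, \dots, m_{\lambda_{2g+1}}, m_\infty)$ with

$m_\lambda = \sum_{j=0,1} Y^j \otimes \sum_{\ell=0}^{\infty} b^\lambda_{j,\ell} (t-\lambda)^\ell$

where $b^\lambda_{j,\ell} \in W(k)$ and $b^\infty_{j,0} = 0$, following our
conventions. For all $\lambda \in \Lambda$, we let

$v^\lambda_{m_c,n} = (b^\lambda_{0,0}, b^\lambda_{0,1}, \dots, b^\lambda_{0,n}, b^\lambda_{1,0}, \dots, b^\lambda_{1,n})$   (6)

and denote by $v_{m_c,n}$ the vector

$v_{m_c,n} = (b^{\lambda_1}_{0,0}, b^{\lambda_1}_{0,1}, \dots, b^{\lambda_1}_{0,m_0+n}, \dots, b^{\lambda_1}_{1,m_0+n}, \dots, b^{\infty}_{1,m_0+n})$   (7)

which can be written by blocks as

$v_{m_c,n} = ((v^{\lambda_1}_{m_c,m_0+n})^\vee, \dots, (v^{\infty}_{m_c,m_0+n})^\vee)^\vee$.   (8)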


Definition 4. Let n > be an integer. Let $h$ be a rational function in the
indeterminate $t$ with coefficients in $K$. Let $S_{h,\lambda}$ be the Laurent
series obtained by expanding $h$ around $\lambda \in \Lambda$. We write

$S_{h,\lambda} = a_0 (t-\lambda)^{-m_0} + a_1 (t-\lambda)^{-m_0+1} + \dots + a_{m_0+n} (t-\lambda)^n + \dots$

and define M^ x n a matrix of size (n + 1, m + n + 1), by 



( a mo ... ao ... \ 
a„ lo+ i ... ax a ... 



/ o 




\a r n +n Oq J 





. ... ^ 

. 8i flo ... 



ifX ^ oo, 



if A = oo. 



\ a„ lo+ „_i a j 

We let M^ n be the block matrix obtained by replacing in Mat each of its 
coefficient equal to a rational function h by M^ x n . 



Definition 5. We keep the same notations as in the preceding definition. Let
$\lambda' \neq \lambda \in K$. Let $h$ be a rational function in the
indeterminate $t$. Write

$S_{h,\lambda} = a_0 (t-\lambda)^{-m_0} + a_1 (t-\lambda)^{-m_0+1} + \dots + a_{m_0+n} (t-\lambda)^n + \dots$

For r > an integer, let $\eta_0, \eta_1, \dots, \eta_n$ be the $n + 1$ first
coefficients of the expansion of $\sum_{\ell=0} a_\ell (t-\lambda)^{-m_0+\ell}$
around $\lambda'$ (it is a power series). Let M h ^ n
be the matrix of dimension $(n + 1, m_0 + n + 1)$ given by


^~i= -i i ^=°°- 



Let M A ^ A be the block matrix obtained by replacing in Mat each of its coefficient 
equal to a rational function h by M h \ . 

We remark that in this definition, if A' = oo, then the first line of M^\ n is null, 
which corresponds to our convention to set the constant term at the infinity to 
zero. This convention implies that the m t h column of n is zero if A = oo. 

Definition 6. Still keeping the same notations, for n > an integer, let M n be 
the matrix of dimension (2(1 + n)(2g + 2), 2(m + n + l)(2g + 2)) given by 









M~ M \ 

oo,n 
















■ M+ ; „ ) 



We have 

Lemma 1. Let Mat be defined as above. Let m c = m ® g c G M c , then 

VMat.m®g c ,n—m — M n .V m <3g c ,m 

where v is defined by (8). 

Proof. We saw in the last section that the action of an overconvergent function
$h \in B_K^\dagger$ on $g_c \in B_c$ is given by multiplying $i_D(h)$ by
$\sigma(g_c)$ in the Robba ring $\mathcal{R}_B$ and then applying
$\sigma \circ p_c$. This last operation can be done by subtracting the
sum of all the principal parts in all the components of $\sigma(B_c)$.

Now, the matrix M^ n is such that for any m c G M c its product with the 
local component vector v^ n gives the first n + 1 terms of the analytic parts of 
the local product Mat.m\. In the same manner, the matrix M x ~£ nio+1 is such 
that its product with the local component vector w^ v „ gives the first n+ 1 terms 
of the expansion locally around A' of the opposite of the principal part in A of 
the local product Mat.m\. 



3.2 Global method 



We can use the notations introduced in Section 3.1 to rewrite the differential
equation (5). Here, we let Mat be the matrix $\mathrm{Mat}_{\nabla_{GM}}$ of the
Gauss-Manin connection for the basis $\{1, Y\}$ of $M_c$ as a
$B_K^\dagger$-module, so that we have $m_0 = 1$.

Definition 7. Let n be a positive integer. Let D n be the matrix with dimension 
(2(1 + n)(2g + 2), 2(n + 2)(2g + 2)) given by 



D = 



( D\ ., \ 

D X2 , n ... 

V o I)^.,J 



where $D_{\lambda_i,n}$ is the diagonal block matrix with dimension
$(2(n+1), 2(n+2))$ such that the diagonal blocks are given by the
$(n+1, n+2)$-matrices



D \i,n = 



( 1 ... 
2 



\ 



V o 



n + 1 .../ 



and where $D_{\infty,n}$ is the block diagonal $(2(n+1), 2(n+2))$ matrix the
blocks of which are all equal to the $(n+1, n+2)$ matrix



/ o 



0-10 ... 

0-20 









\ -(n-1) .../ 



We have the 



Proposition 1. Let $n > 1$ be an integer. Let $m_c \in M_c$ be a solution of
Equation (5). Then the vector $v_{m_c,n}$ is a solution of the linear system
$(M_n + D_n).v = 0$.

Proof. By definition of $\nabla_c$, this is a consequence of Lemma 1 and of the
fact that the matrix $D_n$ is such that
$v_{m \otimes \frac{\partial}{\partial t} g_c,\, n-1} = D_n v_{m \otimes g_c,\, n}$.



3.3 Local method 

Let $\lambda \in \Lambda$. To simplify the exposition, we suppose in the
following that $\lambda \neq \infty$. The case $\lambda = \infty$ can be treated
exactly in the same way. In the following, $K((t - \lambda))$ denotes the field
of Laurent series in the indeterminate $(t - \lambda)$.

The local method rests on the remark that Equation (5) locally at $\lambda$ can
be regarded as a classical inhomogeneous differential equation if we know enough
terms of the global solution. This is the content of

Proposition 2. Let $m_c = (m_{\lambda_1}, \dots, m_{\lambda_{2g+1}}, m_\infty) \in H^1_{MW,c}(V, \pi_* A_K^\dagger)$.
For $\lambda \in \Lambda$, let $\nabla_{GM,\lambda}$ be the action of the
Gauss-Manin connection on the local component in $\lambda$ of an element of
$M_c$. For all $\lambda \in \Lambda$, there exists a unique $u = u_0 + Y u_1$,
with $(u_0, u_1) \in (K((t - \lambda)))^2$ such that $m_\lambda$ is a solution
of a non-homogeneous differential equation:

$\frac{\partial}{\partial t} m_\lambda + \nabla_{GM,\lambda} m_\lambda = u$.   (9)

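Proof. Let $m_c = (m_{\lambda_1}, \dots, m_{\lambda_{2g+1}}, m_\infty) \in H^1_{MW,c}(V, \pi_* A_K^\dagger)$.
By definition, it satisfies the equation

$\nabla_c(m_c) = 0$.

By rewriting each $m_\lambda$, $\lambda \in \Lambda$, as

$m_\lambda = \sum_{i=0,1} Y^i \otimes g_i^\lambda$

where $g_i^\lambda \in R_{\lambda,c}$ we have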



V c (m c ) = ( £ Vgm(^) ® ,g A 1 + £ r 2 ® J^ A \ . . . , 

i=0,l i=0,l 



9i 

i=0,l i=0,l 



Let G sj^ be such that 



V c (m c ) = I £ /i-^ ® S* 1 + £^® ■ ■ • , 



Set 



=0.1 i=0,l 



£=0,1 i=0,l 



E^®^(E p ^(0v(.f«).g 4 A ')) 

i=0,l \A'eA / 



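where $\phi_\lambda$ is defined by (3) and $\mathrm{Pr}_\lambda$ is given by
Definition 2. We have

$\frac{\partial}{\partial t} m_\lambda + \nabla_{GM,\lambda} m_\lambda = u$,

by definition of $p_c$. This concludes the proof of the proposition.

Let $m_c = (m_{\lambda_1}, \dots, m_{\lambda_{2g+1}}, m_\infty) \in H^1_{MW,c}(V, \pi_* A_K^\dagger)$.
For $\lambda \in \Lambda$, write

$m_\lambda = \sum_{i=0,1} Y^i \otimes g_i^\lambda$,

where $g_i^\lambda \in R_{\lambda,c}$. Let $\Phi$ be the morphism of $K$-vector
spaces defined by

$\Phi : H^1_{MW,c}(V, \pi_* A_K^\dagger) \to (K[Y])^{2g+2}$,

$m_\lambda = \sum_{i=0,1} Y^i \otimes g_i^\lambda \mapsto (\sum_{i=0,1} Y^i \otimes g_i^{\lambda_1}(0), \dots, \sum_{i=0,1} Y^i \otimes g_i^{\lambda_{2g+1}}(0), 0)$.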

Corollary 1. The map $\Phi : H^1_{MW,c}(V, \pi_* A_K^\dagger) \to (K[Y])^{2g+2}$
is injective.

Proof. Let $m_c = (m_{\lambda_1}, \dots, m_{\lambda_{2g+1}}, m_\infty) \in H^1_{MW,c}(V, \pi_* A_K^\dagger)$.
By Proposition 2, for all $\lambda \in \Lambda$, $m_\lambda$ satisfies a degree 1
local inhomogeneous differential equation and there is a unique solution of this
equation with constant term given by $\Phi(m_c)$.

We have to check that the solution that we obtain satisfies the condition that
the constant term at the infinity point is zero.

Definition 8. Let n > be an integer. Let $\mathrm{Rel}_n$ be the sub-$K$-vector
space of $K^{2(2g+2)(n+2)}$ generated by the vectors

$(e_1, \dots, e_{2(2g+2)(n+2)})^\vee$

such that the $e_i$ are zero for

$i \in \{2(2g+1)(n+2) + 1 + j(n+2) \mid j \in \{0, 1\}\}$.

The linear system we associated to the equation

$\nabla_c(m_c) = 0$

admits trivial solutions that we have to put aside. These solutions come from
the fact that the derivation with respect to $t$ increases the degree locally at
the point at infinity. For instance, when truncating above the degree $n > 0$,
then $(0, \dots, 0, 1 \otimes t^{-n})$ corresponds always to a solution of the
linear system even though in general it is not a solution of the equation
$\nabla_c(m_c) = 0$.

Definition 9. Let n > be an integer. Let $\mathrm{Triv}_n$ be the
sub-$K$-vector-space of $K^{2(2g+2)(n+2)}$ spanned by the vectors

$(e_1, \dots, e_{2(2g+2)(n+2)})^\vee$

such that the $e_i$ are zero, except for

$i \in \{2(2g+1)(n+2) + j(n+3-s) \mid j \in \{1, 2\},\ s \in \{1, 2\}\}$.

In order to get rid of the terms of $\mathrm{Triv}_n$, we simply truncate the
solutions and keep only the resulting independent vectors with coefficients in
$K$. It would be enough to truncate only the local part at infinity, but we
truncate globally for the sake of clarity. Note also that by Corollary 1, a
solution with all local constant terms equal to zero is globally equal to zero,
so that we don't drop any valid solution by truncating.



Definition 10. If $n > 2$ and if $v = (v_1, \dots, v_{2(2g+2)(n+2)})$ is an
element of $K^{2(2g+2)(n+2)}$, we let

$\mathrm{Tronc}(v, n) = (v_1, \dots, v_{n-2}, v_{n+1}, \dots, v_{2n-2}, v_{2n+1}, \dots, v_{2(2g+2)(n+2)-2})^\vee$.

In particular, we have

$\mathrm{Tronc}(v_{m_c,n}, n) = v_{m_c,n-2}$.

This way, we have

Proposition 3. Let n > be an integer. Let $v$ be a solution of the linear system

$(M_{n+2} + D_{n+2}) v = 0$

in $\mathrm{Rel}_n$. Then there exists a unique element
$m_c \in \bigoplus_\lambda M_{c,\lambda} \otimes K[[t - \lambda]]$ solution of
Equation (5) such that

$v_{m_c,n} = \mathrm{Tronc}(v, n)$

where we have generalized in an evident manner the definition of $v_{m,n}$ to
$\bigoplus_\lambda M_{c,\lambda} \otimes K[[t - \lambda]]$. More precisely,
there exists $v_{\mathrm{Triv}} \in \mathrm{Triv}_{n+2}$ such that
$v_{m,n+2} = v + v_{\mathrm{Triv}}$.

Proof. From Corollary 1, a solution is uniquely determined by its first terms.

An approximation of a formal solution of a differential equation can be computed
by one or the other of the above explained methods, but nothing has been
said, up to now, about the convergence of the solutions that we approximate.
We have yet to prove that a formal solution of the differential equation is in
$M_c$. This can be done by finding some conditions for the convergence on the
coefficients of a formal solution.

3.4 Explicit upper bound of the coefficients of a basis of the
cohomology

We present an upper bound on the valuation of the coefficients of a basis of
the space $H_{MW,c}(V) = H^1_{MW,c}(V, \pi_* A_K^\dagger)$. In this section,
$v_p$ is the usual $p$-adic valuation on $K$.

Proposition 4. Let $m_c = (m_{\lambda_1}, \dots, m_{\lambda_{2g+1}}, m_\infty)$
be an element of $H^1_{MW,c}(V, \pi_* A_K^\dagger)$. Let $u = u^0 + u^1.Y$, with
for $j = 0, 1$, $u^j = \sum_{\ell=0}^{\infty} u^j_\ell (t-\lambda)^\ell$.
Suppose that $m_\lambda$ is a solution of the equation

$\frac{\partial}{\partial t} m_\lambda + \nabla_{GM,\lambda} m_\lambda = u$,

then there exists a real number B > such that for $j = 0, 1$ and all $\ell$

$v_p(u^j_\ell) > B$.



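Proof. Let $m_c = (m_{\lambda_1}, \dots, m_{\lambda_{2g+1}}, m_\infty)$ with

$m_\lambda = \sum_{j=0,1} Y^j \otimes \sum_{\ell=0}^{\infty} b^\lambda_{j,\ell} (t-\lambda)^\ell$

with $b^\lambda_{j,\ell} \in K$ and with $b^\infty_{j,0} = 0$ (still keeping the
convention $t - \infty = t^{-1}$). Let $\lambda \in \Lambda$. Writing the
Gauss-Manin connection as a quotient:

$\nabla_{GM} = \frac{G(t)}{\Delta(t)}$

where $G(t)$ is a linear transformation which can be written in the basis
$\{1, Y\}$ as a $(2, 2)$-matrix with coefficients in $W(k)[t]$ and
$\Delta(t) \in W(k)[t]$ has simple roots. By Proposition 2, and because each
$\lambda' \in \Lambda_0$ is at most a simple root of $\Delta$, the vector
$m_\lambda$ satisfies the equation

$\frac{\partial}{\partial t} m_\lambda + \nabla_{GM,\lambda} m_\lambda = u$,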

with 



where $c^{\lambda'} = b^{\lambda'}_{0,0} + Y b^{\lambda'}_{1,0}$.
We have for all $\lambda, \lambda' \in \Lambda$,



w p (A - A') = 



by hypothesis. As a consequence, if one writes $u = u^0 + Y u^1$, with for
$j = 0, 1$, $u^j = \sum_{\ell} u^j_\ell (t - \lambda)^\ell$, then

$v_p(u^j_\ell) > \min(v_p(c^{\lambda'}))$,   (10)

where we extend $v_p$ on vectors with coefficients in $W(k)$ by taking the
minimum of the valuation of the components.

Equation (10) follows from the remark that expanding in a neighbourhood of
$\lambda$, we find

('-^r^-E TvzW *-^- 

As a consequence, we can take 



(A' - XY 



in the statement of the theorem. 
We have also 



Theorem 1. Let $m_c = (m_{\lambda_1}, \dots, m_{\lambda_{2g+1}}, m_\infty)$ be an
element of $H^1_{MW,c}(V, \pi_* A_K^\dagger)$ with

$m_\lambda = \sum_{j=0,1} Y^j \otimes \sum_{\ell=0}^{\infty} b^\lambda_{j,\ell} (t-\lambda)^\ell$

with $b^\lambda_{j,\ell} \in W(k)$ and with $b^\infty_{j,0} = 0$. Let
$\lambda \in \Lambda$. Then there exist $\alpha \in \mathbb{R}$ and
$\beta \in \mathbb{R}$ such that

$v_p(b^\lambda_{j,\ell}) > -(\alpha \log_p(\ell) + \beta)$,   (11)

for all $j$ and all $\ell$. Moreover, $\alpha$ and $\beta$ can be made explicit
(see Remark 1).

Proof. We prove that the hypotheses of Theorem 2.3.3 of [Cha07] are verified.
By a direct computation, we find that the local exponents of
$\mathrm{Mat}_{\nabla_{GM}}$ are in {0, — so that they are prepared and
hypothesis 1 is satisfied. Hypothesis 4 is already contained in our statement.
Hypothesis 2 can be checked by applying the classical Dwork's trick (see for
example [Kat73], Proposition 3.1). In order to be able to apply this result, it
is necessary to provide the $B_K^\dagger$-module
$(\pi_* A_K^\dagger, \nabla_{GM})$ with a Frobenius morphism. Fix a Frobenius
morphism $F$ on $A_K^\dagger$ lifting the $p$-th power on $A_k$ such that $F$
sends $X$ over $X^p$ and acting on $K$ as the Frobenius automorphism. Then $F$
induces a Frobenius morphism $F_{GM}$ over $(\pi_* A_K^\dagger, \nabla_{GM})$ and
Dwork's trick applies. In the same manner, we provide the dual module with
connection $(\pi_* A_K^\dagger, \nabla^\vee)$ with the Frobenius morphism
$F_{GM}^\vee$. Hypothesis 3 is true from Proposition 4, and hypothesis 5 is
easily verified in our case. The expression of $B$ given in the proof of
Proposition 4 gives the theorem.

The following proposition proves the correctness of the algorithm described 
in Section 4.1. Taking back the notation of the Section 3, 

Proposition 5. Let $v$ be a solution of the linear system $(M_n + D_n) v = 0$
belonging to $\mathrm{Rel}_n$ and let
$m \in \bigoplus_\lambda M_{c,\lambda} \otimes K[[t - \lambda]]$ be the unique
solution of Equation (5) such that $v_{m,n} = \mathrm{Tronc}(v, n)$. Then $m$ is
an element of $M_c$.

Proof. From Theorem 1, the coefficients of the local part $m_\lambda$ of $m$
satisfy the logarithmic bounds of Equation (11) for all $\lambda \in \Lambda$.
In particular, this implies that the $m_\lambda$ are all in $R_{\lambda,c}$.

Remark 1. One can obtain explicit formulas for the constants $\alpha$ and
$\beta$ of the theorem. The proof of Theorem 2.3.3 (inspired from methods of
Alan Lauder) in [Cha07] gives the expressions

$\alpha = 2\alpha' + 2$

and

/3 = 2/3' + 21og p (3)-£ 

the constants $\alpha'$ and $\beta'$ are computed in [Lau06, Note 4.11], with the
following expressions:

$\alpha' = 2(1 + \log_p(2)) + 3$

and

$\beta' = \alpha' \log_p(5) + \beta_2 + \beta_3$

where

$\beta_2 = 2(1 + \log_p(2)) + 3$

and 

03 = 4( ^~i + 41og p (3) + 21o §p( 2 ))- 

Remark 2. Let us consider the term B. Recall that we saw in the proof of Propo- 
sition 4 that we have (we keep the notations of the proof) 

Ba SS(*(M)- (12) 

where $c^\lambda$ is formed by the constant terms of the element of the
cohomology group we consider, so that we can suppose that its $p$-adic valuation
is zero. Now since the matrix of the connection is



Mat v G M = 




the only non-zero term of ^^J) is 1/2 and we can suppose B = 0. 

4 Description of the algorithm and complexity analysis 

In this section, we present an algorithm, based on the results of Section 3, to
compute a basis of the Monsky-Washnitzer cohomology with compact support
of a hyperelliptic curve. The algorithm takes as input:

— a finite field of odd characteristic $k$,

— a genus $g$ hyperelliptic curve $C_k$ over $k$, given by an equation
$Y^2 = \prod_{i=1}^{2g+1} (X - \bar\lambda_i)$, with $\bar\lambda_i \in k$
distinct,

— two positive integers $P_1$ and $P_2$,

and returns a basis of the space $H^1_{MW,c}(V, \pi_* A_K^\dagger)$ computed with
analytic precision $P_1$ and $p$-adic precision $P_2$.

4.1 An algorithm for the computation of a basis of the cohomology 
of Monsky-Washnitzer of a curve 



Denote by Ck an affine plane model of Ck- We denote by t the coordinate on 



The set up For $i = 1, \dots, 2g + 1$, let $\lambda_i \in W(k)$ lifting
$\bar\lambda_i$. Let $C_K$ be the hyperelliptic curve over $K$ given by the
equation

$Y^2 = Q(X)$ with $Q(X) = \prod_{i=1}^{2g+1} (X - \lambda_i)$.

Denote by $\infty$ the point at infinity of $C_K$. Keeping the notations of
Section 3, we let $\Lambda = \{\lambda_1, \dots, \lambda_{2g+1}, \infty\}$ and
$\Lambda_0 = \Lambda \setminus \{\infty\}$. Let $V$ be the subvariety of
$\mathbb{P}^1_K$ whose geometric point set is the complement of $\Lambda$, let
$U = \pi^{-1}(V)$ where $\pi$ is the projection along the $Y$-axis. Let $U_k$
and $V_k$ be respectively $U$ and $V$ modulo $p$.

The algorithm goes through the following 3 steps.

Step 1: computation of the connection matrix The Gauss-Manin connection matrix
on $A_K^\dagger$ is easily described. We fix from now on the basis $\{1, Y\}$ of
the $B_K^\dagger$-module $A_K^\dagger$. The matrix is given by the derivation
with respect to $Y$ in $A_K^\dagger$ seen as a $B_K^\dagger$-module. Since in
$\Omega^1_{A_K^\dagger}$ we have $dY = \frac{Q'}{2Q} Y.dt$, the Gauss-Manin
connection matrix over $A_K^\dagger$ associated to the projection
$\pi : U \to V$ is:



Mat VaM = 




Step 2: Computation of the matrix $M_n$ (see Section 3.1). Here n is the
analytic precision of the computation which will be fixed later, depending on
whether we use the local or the global method.

In order to obtain the matrix $M_n$, we have to compute for $\lambda \in \Lambda$ the local
development in $\lambda$ of $Q'(t)/Q(t)$ that we denote by $S_{\nabla,\lambda}(t)$ and for each $\lambda, \lambda' \in \Lambda$
the local development in $\lambda'$ of the principal part of $S_{\nabla,\lambda}(t)$.

The development of $Q'(t)$ in $\lambda$ is nothing but the evaluation $Q'(t + \lambda)$
which can be done using Horner's method or the Paterson-Stockmeyer
algorithm [PS73]. The computation of a development of $1/Q(t)$ in $\lambda$ can be done
by

— computing a local development $S_{Q,\lambda}(t)$ of $Q(t)$ in $\lambda$ using Horner's method;

— inverting $S_{Q,\lambda}(t)$ using a Newton iteration.

The case of $\lambda = \infty$ can be treated in a similar manner.

Then we have to compute the product of the local developments in $\lambda$ of $Q'(t)$
and $1/Q(t)$ to obtain $S_{\nabla,\lambda}(t)$.

As $S_{\nabla,\lambda}(t)$ can only have simple poles, the computation of a local
development of the principal part of $S_{\nabla,\lambda}(t)$ in $\lambda'$ boils down to the computation of an
inverse locally at zero of a term of the form $t + \lambda - \lambda'$ which can be done by a
Newton iteration.
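The Step 2 recipe (Horner shift of Q and Q', Newton inversion, product) can be run on the curve of Section 4.3 as a worked illustration. This is an added example, not the authors' Magma implementation: it uses exact rationals in place of elements of W(k) truncated at p-adic precision $P_2$, and all function names are chosen here.

```python
from fractions import Fraction

INFINITY = "oo"  # marker for the point at infinity (name chosen for this example)

def taylor_shift(poly, a):
    """Coefficients (lowest degree first) of poly(t + a), by repeated Horner steps."""
    c = [Fraction(x) for x in poly]
    n = len(c)
    for i in range(n - 1):
        for j in range(n - 2, i - 1, -1):
            c[j] += a * c[j + 1]
    return c

def mul(a, b, prec):
    """Product of two power series truncated modulo t^prec."""
    out = [Fraction(0)] * prec
    for i, x in enumerate(a[:prec]):
        if x:
            for j, y in enumerate(b[:prec - i]):
                out[i + j] += x * y
    return out

def newton_inverse(s, prec):
    """1/s modulo t^prec for s(0) != 0; each round g <- g*(2 - s*g) doubles the precision."""
    if s[0] == 0:
        raise ValueError("constant term must be invertible")
    g, k = [1 / Fraction(s[0])], 1
    while k < prec:
        k = min(2 * k, prec)
        corr = [-x for x in mul(s, g, k)]
        corr[0] += 2
        g = mul(g, corr, k)
    return g

def local_development(Q, lam, prec):
    """Laurent development of Q'(t)/Q(t) at lam, for Q with simple roots.

    Returns (v, coeffs), meaning sum(coeffs[i] * t**(v + i)), with prec coefficients.
    """
    dQ = [i * c for i, c in enumerate(Q)][1:]
    if lam == INFINITY:
        # t -> 1/t gives Q'(1/t)/Q(1/t) = t * rev(Q')(t) / rev(Q)(t)
        num, den, v = dQ[::-1], Q[::-1], 1
    else:
        num, den, v = taylor_shift(dQ, lam), taylor_shift(Q, lam), 0
        if den[0] == 0:          # lam is a root of Q: factor t out, simple pole
            den, v = den[1:], -1
    return v, mul(num, newton_inverse(den, prec), prec)

Q_EXAMPLE = [0, -1, 0, 1]   # Q(t) = t^3 - t, the curve of Section 4.3

def h_development(lam, prec=5):
    """Development of h = Q'/(2Q), the non-zero entry of the connection matrix."""
    v, coeffs = local_development(Q_EXAMPLE, lam, prec)
    return v, [c / 2 for c in coeffs]

if __name__ == "__main__":
    for lam in (INFINITY, 0, 1, -1):
        print(lam, h_development(lam))
```

The four developments it returns are the Laurent series of h listed in Section 4.3.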



Step 3: solving the equation $\nabla_c(m_c) = 0$. The next step is to solve the
equation $\nabla_c(m_c) = 0$ on $M_c$. We have to compute modulo $(t - \lambda)^{P_1}$ locally at
$\lambda \in \Lambda$ and modulo $p^{P_2}$ for p-adic precision. In section 3, we have given two ways
to obtain a basis of solutions of the differential equation $\nabla_c(m_c) = 0$. We use
the local method after determining the first terms of a basis thanks to the global
method. It should be remarked that due to the special form of the connection
associated to a hyperelliptic curve, it is possible in the case we consider to
compute directly these terms. Still we present the global method for its general
interest.

Global method. We first use the global method to compute a basis of solutions
at small fixed analytic precision. For this, we have to compute the matrices $M_1$
and $D_1$ and solve the linear system

$$(M_1 + D_1)v = 0,$$

over K. Then it is necessary to put aside the trivial solutions belonging to
$\mathrm{Triv}_1$ and project the remaining ones onto $\mathrm{Rel}_1$. To conclude, we truncate the
remaining vectors as explained in Proposition 9.

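Local method. Denote by $m_c^1, \ldots, m_c^{4g+1} \in M_c$ the elements of a basis of the space
$H^1_{MW,c}(V, \pi_* A_K^\dagger)$ computed up to analytic precision 1 with the global method.
For $j = 1, \ldots, 4g+1$, we write $m_c^j = (m^j_{\lambda_1}, \ldots, m^j_{\lambda_{2g+1}}, m^j_\infty)$.

For a fixed $\lambda \in \Lambda$, we explain how to lift $m^j_\lambda$, for $j = 1, \ldots, 4g+1$, using the
local differential equation provided by Proposition 2. For this, we have to
compute the constant term of Equation (9). The general expression of this coefficient
is

$$u^j_\lambda = \sum_{i=0,1} Y^i \otimes \phi_\lambda\Big(\sum_{\lambda' \in \Lambda} \mathrm{Pr}_{\lambda'}\big(\phi_{\lambda'}(f_i) \cdot g^j_{i,\lambda'}\big)\Big)$$

where $f_i$ depends only on the Gauss-Manin connection and for $\lambda \in \Lambda$, $g^j_{i,\lambda} \in R_{\lambda,c}$
is such that

$$m^j_\lambda = \sum_{i=0,1} Y^i \otimes g^j_{i,\lambda}.$$

As $f_i$ has only simple poles, we can write

$$\phi_\lambda\Big(\sum_{\lambda' \in \Lambda} \mathrm{Pr}_{\lambda'}\big(\phi_{\lambda'}(f_i) \cdot g^j_{i,\lambda'}\big)\Big) = \sum_{\lambda' \in \Lambda} \phi_\lambda\big(\mathrm{Pr}_{\lambda'}(\phi_{\lambda'}(f_i))\big)\, g^j_{i,\lambda'}(0).$$

We remark that $g^j_{i,\lambda'}(0)$ can be computed with the global method. As a
consequence, once we have computed for a fixed $\lambda \in \Lambda$, $r_{\lambda,\lambda'} = \phi_\lambda(\mathrm{Pr}_{\lambda'}(\phi_{\lambda'}(f_i)))$,
it is possible to recover $u^j_\lambda$ by computing a linear combination of the $r_{\lambda,\lambda'}$ with
coefficients in K.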

Equation (9) can be rewritten as an equation of the form

$$Z' = AZ + B,$$

where A (resp. B) is a (2, 2)-matrix (resp. (2, 1)-matrix) with coefficients in
$K[[t]]$. It is possible to compute an approximation of the unique solution Z of
this equation satisfying $Z(0) = v$ with precision $P_1$ using an asymptotically fast
algorithm such as given by Theorem 2 of [BCO+07]. The initial value v comes
from the global method.

4.2 Complexity analysis 

In order to assess the complexity of our algorithm we use the computational
model of a Random Access Machine [Pap94]. In this paper, we use the soft-O
notation and choose to ignore logarithmic terms in the complexity functions.
For instance, using the algorithm of Schönhage-Strassen, the multiplication of
two n-bit length integers takes $\tilde O(n)$ time. We suppose that k is a finite field of
cardinality q and characteristic p. Let $x \in W(k)$, we say that we have computed
x up to precision $P_2$ if we have computed a representative of $x \bmod p^{P_2}$. In
the following we assume the sparse modulus representation which is explained
in [CFA+06, pp.239]. Let $x, y \in W(k)/p^{P_2}W(k)$, under this assumption one can
compute the product xy with precision $P_2$ by performing $M = \tilde O(\log(q)P_2)$ bit
operations. The storage requirement for an element of W(k) with precision $P_2$
is $O(\log(q)P_2)$.

Let $h = \sum_{\ell \ge 0} a_\ell t^\ell \in W(k)[[t]]$ with $a_\ell \in W(k)$. We say that we have
computed h up to precision $P_1$ if we have computed a representative of $h \bmod t^{P_1}$.
Using the algorithm given in [vzGG03], the multiplication of two polynomials of
degree $P_1$ with coefficients in W(k) takes $\tilde O(P_1)$ operations in W(k). As a
consequence, the multiplication of two elements of $W(k)[[t]]$ with precision $P_1$ takes
$N = \tilde O(\log(q)P_2P_1)$ time. The storage requirement for an element of $W(k)[[t]]$
with analytic precision $P_1$ and p-adic precision $P_2$ is $O(\log(q)P_1P_2)$.

Now, we give time and memory complexity bounds for the computation of a
basis of the cohomology with analytic precision $P_1$ and p-adic precision $P_2$. We
refer to Section 4.1 for the description of each step.

Step 1: The asymptotic running time of this step is clearly negligible with 
respect to the other steps. 

Step 2: Using the local method, we only have to compute $M_1$ which makes the
running time of this step also negligible with respect to the other steps.

Step 3: In this step, we use the global method to compute the first terms of
the solutions required for the local method.

The global method. We have to invert a matrix with coefficients in K the
dimension of which is in the order of g. The total cost is $\tilde O(g^3\log(q)P_2)$ time and
$O(g^2\log(q)P_2)$ memory.



The local method. We keep the notations of Section 4.1 Step 3. First, for a fixed
$\lambda \in \Lambda$, we give the running time and memory usage for the computation of a lift
of $m^j_\lambda$ for j running in $\{1, \ldots, 4g+1\}$.

We compute $r_{\lambda,\lambda'} = \phi_\lambda(\mathrm{Pr}_{\lambda'}(\phi_{\lambda'}(f_i)))$ for $\lambda' \in \Lambda$. In order to do this, we
have to develop $f_i$ in $\lambda'$. With our hypothesis the only non trivial $f_i$ has the
form $Q'(t)/Q(t)$.

The computation of a local development of $Q'$ in $\lambda'$ can be done with the
evaluation $Q'(t + \lambda')$. Using Horner's method or the Paterson-Stockmeyer
algorithm [PS73], it takes $O(gM)$ time. The computation of a local development of
$1/Q(t)$ in $\lambda'$ is done with a Newton iteration at the expense of $\tilde O(\log(P_1)N)$ time. Then
we have to compute the product of the local developments of $Q'$ and $1/Q$. This
product takes $O(N)$ time. Taking the principal part is trivial. Then we use again a
Newton iteration to compute a development in $\lambda$ of a principal part of the form
$1/(t - \lambda')$. We are done for the computation of $r_{\lambda,\lambda'}$.

We have to repeat this operation $O(g)$ times to obtain all the coefficients
$r_{\lambda,\lambda'}$ at the expense of $\tilde O(g\log(q)P_1P_2)$ time and $O(g\log(q)P_1P_2)$ memory.

Then in order to lift $m^j_\lambda$, for $j = 1, \ldots, 4g+1$, we have to solve an equation
of the form $Z' = AZ + B$. This is a 2 dimensional linear differential equation of
order 1 and applying Theorem 2 of [BCO+07], a solution of this equation with
analytic precision $P_1$ can be computed in $O(N)$ time.

Now, we have to repeat all the preceding operations for $\lambda$ running in $\Lambda$. In
all the computational time is $\tilde O(g^2\log(q)P_1P_2)$ and the memory consumption is
$O(g\log(q)P_1P_2)$.

Proposition 6. Let $P_1$ and $P_2$ be positive integers. The global time for the
computation of a basis of $H^1_{MW,c}(V, \pi_* A_K^\dagger)$ with analytic precision $P_1$ and
p-adic precision $P_2$ is bounded by $\tilde O(g^2\log(q)P_1P_2)$. The memory consumption is
$O(g\log(q)P_1P_2)$.



4.3 An example 

In this section, we give a detailed example of computation. We consider the case
of the elliptic curve with equation $Y^2 = X^3 - X$ over $\mathbb{F}_5$. We lift the equation
to $Y^2 - X^3 + X \in \mathbb{Z}_5[X, Y]$ so that we are interested in the finite module
M with basis {1, Y} over $\mathbb{Q}_5[t, t^{-1}, (t-1)^{-1}, (t+1)^{-1}]^\dagger$. We denote as before
$\Lambda = \{\infty, 0, 1, -1\}$ and consider the connection on M given by the matrix

$$\mathrm{Mat}\,\nabla_{GM} = (A(t))^{-1}\begin{pmatrix} 0 & 0 \\ 0 & \frac{3t^2-1}{2} \end{pmatrix},$$

where $A(t) = t^3 - t$. Let $h(t) = \frac{1}{2A}(3t^2 - 1)$ be the only non-zero term of
this matrix. Its local developments in Laurent series at the elements of $\Lambda$ are:

- at $\infty$: $\frac{3}{2}t + t^3 + O(t^4)$,

- at 0: $\frac{1}{2}t^{-1} - t - t^3 + O(t^4)$,

- at 1: $\frac{1}{2}t^{-1} + \frac{3}{4} - \frac{5}{8}t + \frac{9}{16}t^2 - \frac{17}{32}t^3 + O(t^4)$,

- at -1: $\frac{1}{2}t^{-1} - \frac{3}{4} - \frac{5}{8}t - \frac{9}{16}t^2 - \frac{17}{32}t^3 + O(t^4)$.

So that we have: 



M, 



_/0 o\ 

h,oo,i - l^o o oy ' 



M M,i= (3 A?) 

\ 8 8 2 / 

M /t-l,l = 



8 2 
11 1 



2 
11 1 

8 2 

Since /i has no pole at infinity, the matrices M^' ^ 1 are zero for A = 0, 1, —1. 
We expand $\frac{1}{t}$ locally

- at $\infty$: $t$,

- at 1: $1 - t + t^2 - t^3 + O(t^4)$,

- at -1: $-1 - t - t^2 - t^3 + O(t^4)$,



which gives: 



M -,oo__l AO 
M h fl .i - 2 I 1 



1/100 
2 1^-1 

1 /-l 00 



M M,i -~ 2 1-10 



We find similarly 



m h,l,l 



1/000 
2 V 1 

Af-.o --IT 100 
M,i 2^-100 

1 /-i 00 

1 

4 



M m7i=-2 -|oO 



and 



1/000 



M fc,-i,i^ 2 I 100 



1/100 
2 V -1 



i 1 A ^ 

^.o-i = -o 2 i 



fc,o,-i- 2V-3OO 



Now we obtain the final matrix 
Its kernel is spanned by the vectors:



- v-l = 

- v 2 = 

- v 3 = 

- v 4 = 

- v 5 = 

- v 6 = 

- v 7 = 

- v 8 = 

- v 9 = . 

- v w = (0 

- uii = (0 



1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) 
0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) 
0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) 
0. 0. 0. 1. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. OV 



_5 _91W 

4.' 80 / ' 
13 43 W 



12 ; 



"48' 



The first six vectors are trivial or non-relevant solutions since either their
truncation is zero or setting their constant term at infinity to zero makes
them null, so that we find that $H^1_{MW,c}(V, \pi_* A_K^\dagger)$ has dimension 5. Since our
curve is of genus 1 and since we took off three points out of it, this agrees with
the theoretical dimension.



5 The action of Frobenius on the basis 

We keep in this section the notations already introduced, and suppose
furthermore that the roots $\lambda$ of Q are Teichmüller elements [CFA+06]. We explain how
to compute a lifting of the Frobenius morphism to $M_c$ and obtain its action on
a basis of $H^1_{MW,c}(U, \pi_* A_K^\dagger)$. Of course all the computations are made with finite
analytic and p-adic precisions and the key point here is the determination of
sufficient precisions in order to guarantee the correctness of the final result.



5.1 Lifting the Frobenius morphism

Following Kedlaya [Ked01], we define a lift F of the p-th Frobenius on $A_K^\dagger$ by
setting $F(X) = X^p$ and

where $\sigma$ is the canonical Witt vectors Frobenius. The expansion of the square
root can be computed using a Newton iteration (see [Ked01]). We then have the

Proposition 7. For all positive integer n the element $F(Y) \bmod p^n$ can be
written as Y times a rational fraction in X such that its numerator and
denominator are relatively prime, its denominator is $Q(X)^d$ with d < pn — and
its pole order at infinity is $(2g + 1)[p/2]$.

Proof. The only non obvious fact from the expression of the Newton iteration is
the bound for d. Since we have

$$F(Y) = Y^p \left(1 + \frac{Q^\sigma(X^p) - Q(X)^p}{Q(X)^p}\right)^{1/2}$$



we can write 



where $E(X) = \frac{1}{p}(Q^\sigma(X^p) - Q(X)^p)$ and E has integral coefficients. In
particular, since the binomial coefficients are p-adic integers we have

with 

p-l 

and we are done. 

We obtain an approximation $F_n$ of a $\sigma$-linear endomorphism of $A_K^\dagger$ lifting the
Frobenius endomorphism on $A_k$ up to p-adic precision n by setting $F_n(X) = X^p$
and $F_n(Y)$ equal to the truncated development of the rational fraction obtained
with Proposition 7.



5.2 Twisted local equation 

In the relative situation that we consider, the Frobenius lifting decomposes as
a Frobenius lift on $B_K^\dagger$, which sends t to $t^p$, that we denote $F_B$ (the 'local'
Frobenius), and a Frobenius on the $B_K^\dagger$-module $A_K^\dagger$ (making it an F-isocrystal).
We first consider the computation of the action of $F_B$.

A direct way to compute the action of $F_B$ on an element $m_c \in M_c$ is to make
the evaluation $t \mapsto t^p$ in all the local developments at $\lambda \in \Lambda$, apply $\sigma$ on the
coefficients and develop the result to recover a series in $(t - \lambda)$.

The following remark leads to a more efficient method. Let $m_c \in M_c$
representing an element of a basis of $H^1_{MW,c}(U, \pi_* A_K^\dagger)$. We recall that, by Proposition
2, a local component $m_\lambda$ of $m_c$ in $\lambda \in \Lambda$ satisfies a non-homogeneous differential
equation

$$\frac{\partial}{\partial t} m_\lambda - M_{\nabla,\lambda}\, m_\lambda = u. \qquad (13)$$

From this equation, we deduce the

Proposition 8. For $\lambda \in \Lambda$, the image $F_B(m_\lambda)$ of $m_\lambda$ by the local Frobenius
satisfies a local differential equation

$$(t^p - \sigma(\lambda))\frac{\partial}{\partial t} F_B(m_\lambda) - p\,t^{p-1} F_B\big((t - \lambda) M_{\nabla,\lambda}\big) F_B(m_\lambda) = p\,t^{p-1}(t^p - \sigma(\lambda)) F_B(u).$$

Proposition 8 yields a very efficient algorithm to compute the action of
$F_B(m_\lambda)$ given its first terms. Note that here the assumption that $\lambda$ is a
Teichmüller lifting is crucial.



5.3 Formulas for the theoretical precision 

In this paragraph, we explain how to apply the isocrystal Frobenius. Here arises
a technical difficulty. Since this computation consists in replacing Y by F(Y),
where F(Y) is Y times an element of $B_K^\dagger$, this operation boils down to the
computation of the action of an overconvergent function in $B_K^\dagger$ (with infinite
negative powers) on an element of $M_c$ (with infinite positive powers). In order
to perform this to a certain precision, we take advantage of the sharp control we
have on the size of the coefficients of both terms. The following theorem gives
expressions for sufficient p-adic and analytic precisions.

Theorem 2. Let $m_c \in M_c$ be an element of $H^1_{MW,c}(V, \pi_* A_K^\dagger)$. Write
$m_c = (m_{\lambda_1}, \ldots, m_{\lambda_{2g+1}}, m_\infty)$ with

OO 

.7=0,1 e=o 

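where $b^\lambda_{j,\ell} \in K$ and $b^\infty = 0$. Let $\alpha$ and $\beta$ be integers such that

$$v_p(b^\lambda_{j,\ell}) > -(\alpha\log_p \ell + \beta)$$

for all $j, \ell$ and $\lambda \in \Lambda$. Then if we set

$$n = \max\left(2\alpha\log_p\left(\frac{2\alpha}{\ln p}\right),\; 2(\alpha + \beta + P_2)\right)$$

the image by $F_n$ of $m_c$ truncated at the degree $P_1$ is equal to the image of $m_c$ by
F modulo $p^{P_1}$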

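Proof. If we write

$$F(Y) = \sum_{j=0,1} f_j(X) Y^j,$$

the image by F of $m_c$ is given by the products

$$f_j(t)\, F_B\big(b^\lambda_{j,\ell}(t - \lambda)^\ell\big),$$

that is to say

$$f_j(t)\,\sigma(b^\lambda_{j,\ell})(t^p - \sigma(\lambda))^\ell$$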

for all £ and j. Now for n positive, we have F n (Y) = X^=o 1 fn.ji^Y^ with p n 
dividing fj(t) — f n j(t), and f n j(t) has its degree bounded by pn — 2^ 

Here we have to use the following easy lemma 
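Lemma 2. Let $\lambda \in W(k)$ be a Teichmüller element. Let

$$S = \sum_{\ell=0}^{\infty} b_\ell (t - \lambda)^\ell$$

with $b_\ell \in K$ be such that there exist integers $\alpha$ and $\beta$ with

$$v_p(b_\ell) > -(\alpha\log_p \ell + \beta)$$

for all $\ell \in \mathbb{N}$. If we write

$$F(S) = \sum_{\ell=0}^{\infty} \sigma(b_\ell)(t^p - \sigma(\lambda))^\ell = \sum_{\ell=0}^{\infty} a_\ell (t - \lambda)^\ell$$

then we have for all $\ell \in \mathbb{N}$

$$v_p(a_\ell) > -(\alpha\log_p \ell + \beta).$$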

In order to prove Theorem 2 using the preceding lemma, we have to find n
and $P_1$ such that for all $\ell > P_1$ we have $v_p\big((f_j(t) - f_{n,j}(t))\,\sigma(b^\lambda_{j,\ell})\big) > P_2$.
We have to solve the inequality

a\og p (pn - ^—^) + f3 - n < -P 2 . (15) 

If we set $\beta' = \alpha + \beta + P_2$, it is sufficient to solve

$$n - \alpha\log_p n - \beta' > 0. \qquad (16)$$

Now if we have $n/2 > \beta'$ and

$$n/2 - \alpha\log_p n > 0 \qquad (17)$$

we are done. Equation (17) is true for $n > -\frac{2\alpha}{\ln p} W\big(-1, -\frac{\ln p}{2\alpha}\big)$ where $W(-1, \cdot)$ is
the real branch defined on the interval $[-1/e, 0]$ of the classical Lambert function.
In particular, given that

$$-W(-1, -1/t) < \ln(t)$$

for all t of the interval, the proposition is true. We refer to [CGH+96] for a
detailed survey on the Lambert function.



5.4 Recovering the zeta function 

From the action of the Frobenius morphism on a basis of $H^1_{MW,c}(V, \pi_* A_K^\dagger)$, it is
easy to recover the zeta function of the curve $C_k$ thanks to the Lefschetz trace
formula (see [ELS93, Cor. 6.4]). In our case this formula reads

z(c k ,t)- det(1 "^ 



where $\phi_1$ is the representation of the Frobenius morphism acting on $H^1_{MW,c}(C_k/K)$.

By the preceding results of this section, we can compute the matrix $M_F$ of
the action of the p-power Frobenius on a basis of the space $H^1_{MW,c}(V, \pi_* A_K^\dagger)$.

We explain how to recover the Zeta function of our initial curve from it.
We can embed the space $H^1_{MW,c}(C_k/K)$ in $H^1_{MW,c}(U_k/K)$ and thanks to the
localization exact sequence in Monsky-Washnitzer cohomology with compact
support (deriving from the one in rigid cohomology, see [Tsu99])

$$\to H^0_{MW,c}((C_k \setminus U_k)/K) \to H^1_{MW,c}(U_k/K) \to H^1_{MW,c}(C_k/K) \to$$

give a description of a supplement. Namely

$$\{(1 \otimes 1, 0, \ldots, 0), \ldots, (0, \ldots, 1 \otimes 1, 0)\}$$

in $\bigoplus_{\lambda \in \Lambda_0} (A_K^\dagger \otimes_{B_K^\dagger} R_{\lambda,c}) \oplus (A_K^\dagger \otimes_{B_K^\dagger} R_{\infty,c})$ is a basis of such a supplement (we
identify here $H^1_{MW,c}(U_k/K)$ and $H^1_{MW,c}(V_k/K, \pi_* A_K^\dagger)$) that we call W. Let $M_F$
denote the matrix of the action of the p-th Frobenius on a basis of a supplement
of W. Let n be the absolute degree of k, the base field of $C_k$. By computing the
product

$$M_\Sigma = M_F M_F^\sigma \cdots M_F^{\sigma^{n-1}},$$

we recover the matrix of the total Frobenius.
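A way to validate this last step on the curve of Section 4.3, given as an added example that is not the authors' Magma code: compute $\det(1 - T M)$ from a matrix of the total Frobenius, derive the point counts over $\mathbb{F}_{q^k}$ with Newton's identities, and compare with exhaustive enumeration. It assumes the usual form of the zeta function with denominator $(1-T)(1-qT)$; the 2x2 matrix is a constructed stand-in, not output of the algorithm, and all names are chosen here.

```python
from fractions import Fraction

P = 5          # the curve of Section 4.3 is defined over F_5
NONRES = 2     # 2 is not a square mod 5, so F_25 = F_5[w]/(w^2 - 2)

# Constructed stand-in for the matrix of the total Frobenius on H^1 of the
# example curve (companion matrix of T^2 + 2T + 5); not output of the algorithm.
M_SIGMA_STANDIN = [[0, -5], [1, -2]]

def reversed_charpoly(M):
    """Coefficients [1, c1, ..., cn] of det(1 - T*M), by the Faddeev-LeVerrier recurrence."""
    n = len(M)
    A = [[Fraction(x) for x in row] for row in M]
    B = [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    coeffs = [Fraction(1)]
    for k in range(1, n + 1):
        AB = [[sum(A[i][l] * B[l][j] for l in range(n)) for j in range(n)]
              for i in range(n)]
        c = -sum(AB[i][i] for i in range(n)) / k
        coeffs.append(c)
        B = [[AB[i][j] + (c if i == j else 0) for j in range(n)] for i in range(n)]
    return coeffs

def point_counts(L, q, kmax):
    """[#C(F_q), ..., #C(F_{q^kmax})] from L(T) = det(1 - T*Frobenius).

    Newton's identities give the power sums s_k of the reciprocal roots of L,
    and #C(F_{q^k}) = q^k + 1 - s_k.
    """
    def c(j):
        return L[j] if j < len(L) else 0
    s = [None]
    for k in range(1, kmax + 1):
        s.append(-(k * c(k) + sum(c(j) * s[k - j] for j in range(1, k))))
    return [int(q ** k + 1 - s[k]) for k in range(1, kmax + 1)]

def f25_mul(x, y):
    """Product in F_5[w]/(w^2 - 2); F_5 is the subfield of pairs (a, 0)."""
    (a, b), (c, d) = x, y
    return ((a * c + NONRES * b * d) % P, (a * d + b * c) % P)

def brute_force_count(degree):
    """#C(F_{5^degree}) for C: Y^2 = X^3 - X and degree 1 or 2, by enumeration."""
    elems = [(a, b) for a in range(P) for b in (range(P) if degree == 2 else [0])]
    n_roots = {}
    for y in elems:
        sq = f25_mul(y, y)
        n_roots[sq] = n_roots.get(sq, 0) + 1
    total = 1                                   # the point at infinity
    for x in elems:
        cube = f25_mul(f25_mul(x, x), x)
        rhs = ((cube[0] - x[0]) % P, (cube[1] - x[1]) % P)
        total += n_roots.get(rhs, 0)
    return total

if __name__ == "__main__":
    L = reversed_charpoly(M_SIGMA_STANDIN)
    print(L, point_counts(L, P, 2), [brute_force_count(1), brute_force_count(2)])
```

A mismatch between the two lists for any implementation's output matrix points at insufficient precision or a wrong basis of the supplement.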



5.5 Description of the algorithm and complexity analysis 

The computation of the Frobenius representation on $H^1_{MW,c}(V, \pi_* A_K^\dagger)$ can be
done in three steps.

Step 1: Lift of the Frobenius morphism. Write

$$F(Y) = Y\,Q(X)^{(p-1)/2}\left(1 + \frac{Q^\sigma(X^p) - Q(X)^p}{Q(X)^p}\right)^{1/2},$$

and for each $\lambda \in \Lambda$, compute a local analytic development up to precision $P_1$ of
the square root using a Newton iteration as in [Ked01].

The dominant step of this operation is the Newton iteration which takes
$\tilde O(\log(q)P_1P_2)$ time and has to be repeated $O(g)$ times for the total cost of
$\tilde O(g\log(q)P_1P_2)$.



Step 2: Computation of the representation of the Frobenius morphism.
Denote by $m_c^1, \ldots, m_c^{4g+1} \in M_c$ the elements of a basis of the space
$H^1_{MW,c}(V, \pi_* A_K^\dagger)$ computed with analytic precision 1. For $j = 1, \ldots, 4g+1$, we
write $m_c^j = (m^j_{\lambda_1}, \ldots, m^j_{\lambda_{2g+1}}, m^j_\infty)$.

Next, for a fixed $\lambda \in \Lambda$, we do the following operations:

1. For $j = 1, \ldots, 4g+1$, compute the action of the local Frobenius $F_B(m^j_\lambda)$
up to the analytic precision $P_1$ using the local differential equation given by
Proposition 8.

2. In the expression of m^, replace Y by Vgm,\{Y) = ^X)fc-d a ^ where 
J2eL-d a ^ f IS tne l° ca l expression in A of the lift of the relative Frobenius 
morphism obtained in Step 1. Then develop to obtain m'\ = Fs(m^). 

For the first operation, we have to compute the constant term $F_B(u^j_\lambda)$ of
Equation (14) associated to $m^j_\lambda$. Keeping the notations of Section 4.1 Step 3, we
have

$$F_B\Big(\sum_{\lambda' \in \Lambda} \phi_\lambda\big(\mathrm{Pr}_{\lambda'}(\phi_{\lambda'}(f_i))\big)\, g^j_{i,\lambda'}(0)\Big) = \sum_{\lambda' \in \Lambda} F_B\big(\phi_\lambda(\mathrm{Pr}_{\lambda'}(\phi_{\lambda'}(f_i)))\big) \cdot \sigma\big(g^j_{i,\lambda'}(0)\big).$$

For $\lambda' \in \Lambda$, we have to compute the action of $F_B$ on principal parts of the
form $1/(t - \lambda')$ and develop in $\lambda$. The first thing can be done by computing a
local development in $\lambda$ of $t^p - \lambda'$ and then using a Newton iteration to invert the
result. These operations take $\tilde O(\log(q)P_1P_2)$ time and have to be repeated $O(g)$
times with $O(g\log(q)P_1P_2)$ memory consumption.

Using the asymptotically fast algorithm provided by Theorem 2 of [BCO+07]
the total amount of time for solving $O(g)$ equations is $\tilde O(g\log(q)P_1P_2)$.

The second step is just $O(g)$ products of series with analytic precision $P_1$
which takes $\tilde O(g\log(q)P_1P_2)$.



For $\lambda$ running in $\Lambda$, all the preceding operations allow us to recover $m'^j_\lambda$
with analytic precision $P_1$ for $j = 1, \ldots, 4g+1$ and $\lambda \in \Lambda$ for $\tilde O(g^2\log(q)P_1P_2)$
time and $O(g\log(q)P_1P_2)$ memory consumption.

The next thing to do is, for $j = 1, \ldots, 4g+1$ and for $\lambda \in \Lambda_0$, to subtract
the principal part of $m'^j_\lambda$ from $m'^j_\infty$ to recover $F_\infty(m^j_\infty)$. In order to compute
the contribution of the principal part of $m'^j_\lambda$ in $\infty$, we have to obtain a local
development in $\infty$ of an element of $R_\lambda$. By considering a Laurent series in $\lambda$ as
an analytic series in $\lambda$ times a term of the form $1/(t - \lambda)^{m_0}$, we have to compute
a local development in $\infty$ of an analytic series $S_\lambda(t)$ and on the other side of a
term of the form $1/(t - \lambda)^{m_0}$ and then take the product. The local development in $\infty$
of $S_\lambda(t)$ with precision $P_1$ can be done by computing the evaluation $S_\lambda(1 + \lambda t)$
which can be decomposed into the evaluation of $S_\lambda(1 + t')$ using the shift operator
for polynomials described in [ASU75] and the substitution $t' = \lambda t$. This can be
done in $\tilde O(\log(q)P_1P_2)$ time. To compute a development of $1/(t - \lambda)^{m_0}$ in $\infty$ we
have to compute a development of $1/(1 + \lambda t)$ and raise the result to the power
$m_0$. As $m_0$ is in the order of $P_1$ this can be done in $O(\log(P_1)\log(q)P_1P_2)$.

All these operations have to be repeated $O(g^2)$ times for a total cost of
$\tilde O(g^2\log(q)P_1P_2)$.

The following lemma shows that in order to express $F(m_c)$ as a linear
combination of the basis vectors of $H^1_{MW,c}(V, \pi_* A_K^\dagger)$ it is enough to do it for the
local component at the infinity point.

Lemma 3. Let $m_c = (m_{\lambda_1}, \ldots, m_{\lambda_{2g+1}}, m_\infty)$ be an element of $H^1_{MW,c}(V, \pi_* A_K^\dagger)$
such that for each $\lambda$ we have $m_\lambda = Y.f_\lambda$ with $f_\lambda$ a power series in $t - \lambda$. Write
$f_\infty = \sum_{\ell=0}^{\infty} a_\ell t^\ell$. If for $\ell = 0, \ldots, 2g+1$, $a_\ell = 0$ then $m_c = 0$.

Proof. Let at denote the constant term of f\ t . Let t' = By Proposition 2, 
the power series /oo(i') satisfies an equation 

^f 00 + t'H(t')f 00 =u(t') 

where H is a power series 

«(*') = lH E 

£>0 i=l,...,2g+l 

Hence, if the first 2g + 2 coefficients of /oo are zero then we have 



E 



a,Af = 



i=l,...,2g+l 

for I = 1 . . . 2g + 1. Now since the Ai are distinct and since the matrix 

v2 X 2g+1< * 



M = 



( ^ 1 -% <\ 

A 2 A 2 ... A 2 



\ \ \2 \ 2 9+ 1 I 

\^2g+l A 2g+1 ••■ A 2g+1 / 



is the transpose of a minor of a Vandermonde matrix all the oa are zero.



Using the preceding lemma, the decomposition of $F(m_c)$ in terms of the basis
vectors costs $\tilde O(g^3\log(q)P_2)$ using the algorithm of Gauss.

In all, the running time of Step 2 is $\tilde O(g^2\log(q)P_1P_2)$ and the memory
consumption is $O(g\log(q)P_1P_2 + g^2\log(q)P_2)$.

Step 3: Norm computation. Compute

$$M_\Sigma = M_F M_F^\sigma \cdots M_F^{\sigma^{n-1}},$$

using the divide and conquer approach presented in [Ked01]. This requires

— $O(\log(n))$ multiplications of $2g \times 2g$ matrices each one of which costs $\tilde O(g^3\log(q)P_2)$
time;

— $O(g^2)$ applications of the Frobenius morphism at the expense of $\tilde O(\log(q)P_2)$
time ([CFA+06]).

The overall time and memory consumption are bounded respectively by $\tilde O(g^3\log(q)P_2)$
and $O(g^2\log(q)P_2)$.

Proposition 9. Let $C_k$ be an hyperelliptic curve of genus g over the finite field
k with cardinality q. We suppose that the ramification points of $C_k$ are
rational. There exists an algorithm to compute the action of the Frobenius
morphism on $H^1_{MW,c}(C_k/K)$ with analytic precision $P_1$ and p-adic precision $P_2$
with time complexity $\tilde O(g^2\log(q)P_1P_2) + \tilde O(g^3\log(q)P_2)$ and memory complexity
$O(g\log(q)P_1P_2 + g^2\log(q)P_2)$.

6 Overall complexity analysis 

In this paragraph, we gather the results of Section 4.2 and Section 5.5 in order to 
give time and memory complexity bounds for the computation of the number of 
rational points of an hyperelliptic curve defined over a finite field of characteristic 
p and cardinality q = p n using our algorithm. 

First, we have to assess the analytic precision $P_1$ and p-adic precision $P_2$ of the
computations. By the Riemann hypothesis for curves, we know that it is enough to
compute the coefficients of the matrix $M_F$ with precision $g/2 \cdot n + (2g + 1)\log_p(2)$.

Next, by Theorem 2, we can take $P_1 = O(P_2)$ and we get the

Theorem 3. Let $C_k$ be an hyperelliptic curve of genus g over the finite field
k. Let n be the absolute degree of k. We suppose that the ramification points of
$C_k$ are rational. There exists an algorithm to compute the characteristic
polynomial of the Frobenius morphism acting on $H^1_{MW,c}(C_k/K)$ with $\tilde O(g^4n^3)$ time
complexity and $O(g^3n^3)$ memory complexity.

The algorithm described in the preceding sections has been implemented in
magma [CL08]. Our implementation is only aimed at showing the correctness of
our algorithm.



7 Conclusion 



In this paper we have described an algorithm to count the number of rational
points of a hyperelliptic curve over a finite field of odd characteristic using
Monsky-Washnitzer cohomology with compact support. The worst case
complexity of our algorithm is quasi-cubic in the absolute degree of the base field.
We remark that the base computation can be easily adapted for more general
curves. The reason why we focus on the case of hyperelliptic curves in this paper
is that for more general curves the assessment of the analytic precision necessary
for the computations is more difficult. Actually, in order to treat more general
curves it is necessary to obtain an explicit logarithmic bound for the elements
of a basis of the cohomology. The result we used in this paper guarantees such a
bound provided that the connection matrix has only simple poles and that the
exponents of the local differential equations are prepared. This last condition on
the exponents means that they are non integral or null rational numbers whose
differences are zero if they are integral. In our case, the exponents are 0 and
-1/2.